Certain types of on-line services and applications are targets for hackers and other malicious individuals attempting to gain access to sensitive user information. This is particularly true for on-line financial applications such as Internet banking, on-line payment sites, and on-line brokerages. Common techniques used by hackers include the installation of viruses, Trojan horses, or spyware on a user's computer, phishing schemes, and man-in-the-middle attacks involving the interception of communication from the user's computer and an external server or device.
Various forms of authentication are used to provide security for on-line transactions. The forms of authentication are generally categorized in three classes: something the user is (e.g., a biometric such as a fingerprint), something the user has (e.g., a security token), and something the user knows (e.g., password). Security is strengthened by using multiple forms of authentication (referred to as “multi-factor” authentication) to verify the identity of a user.
In the various schemes described above, a hacker attempts to access the authentication data (referred to as a “credential”) associated with an authentication factor. Because the identity of the server is not authenticated during an access attempt, credentials are susceptible to hacking schemes involving establishment of an illegitimate servers. For example, in a phishing scheme, a user is tricked into entering his authentication credentials into a fake website having the look and feel of the legitimate site. The operator of the phishing website may then use those credentials to access the user's account and/or perform unauthorized transactions.
In man-in-the middle schemes, communication between the user and a server are intercepted. In other words, the user is led to believe that he is in direct communication with the server and vice versa. In actuality, the “man-in-the-middle” establishes separate connections with the user's device and the server. As a result, the man-in-the middle software logs all communication between the user's device and the server. Thus, credential sent in the clear over the communications connection between the user's device and the server are vulnerable.
Malicious code may also be surreptitiously installed on a user's computer. This malicious code may cause a user's keystrokes to be monitored or may cause communications to be intercepted. Thus, credentials stored in the clear on a user's device are vulnerable to certain forms of malicious code.
What is therefore needed are systems and methods for securing an authentication credential via verification of the user and verification of the server.
The present invention will now be described with reference to the accompanying drawings. In the drawings, like reference numbers can indicate identical or functionally similar elements. Additionally, the left-most digit(s) of a reference number may identify the drawing in which the reference number first appears.